(54) Method and apparatus for incremental delivery of access rights



(57) Incremental delivery of authenticated access rights to an access control processor is provided. Subgroups of the access rights are communicated to the processor in a plurality of messages. The subgroups are stored in different data banks within the processor, and validity designations associated with the data banks indicate whether the data currently stored therein has been authenticated under a cryptographic key currently in use. Access under a particular key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.
Description

BACKGROUND OF THE INVENTION 

The present invention relates generally to security apparatus for information processing systems, and more particularly to the incremental delivery of authenticated access rights to an access control processor. The invention is particularly useful in connection with the secure transmission of premium television services via satellite or cable, but is not limited to such applications.

There are many schemes available for controlling access to electronic signals, such as those providing premium television services. Such schemes are necessary to maintain security, for example in subscription television systems such as cable television and satellite television systems. Typically, a system subscriber is provided with a decoder connected between a television signal source (e.g., cable feed or satellite receiver) and a television set. Each subscriber's decoder is remotely accessed by the system operator to enable or disable the receipt of specific services such as the Home Box Office (HBO) movie channel or special pay-per-view sports events. One problem with such systems is that "pirates" may attempt to break the system security and sell "black boxes" that enable the reception of all programming without paying for the services received. It has been difficult and expensive for system operators to contend with the piracy problem.

Various systems have been designed to make piracy more difficult. One such system is disclosed in U.S. patent no. 4,613,901 to Gilhousen, et al. entitled "Signal Encryption and Distribution System for Controlling Scrambling and Selective Remote Descrambling of Television Signals." In the Gilhousen, et al. scheme, various cryptographic keys are used to provide an encrypted television signal. Among the keys described are category keys, each common to a different subset of subscriber decoders. It is also known to provide program keys, in which each television program has a specific key associated therewith that is necessary to descramble or decrypt the particular program signal.

U.S. patent 5,115,467 to Esserman, et al. entitled "Signal Encryption Apparatus for Generating Common and Distinct Keys" also deals with the security issue. The generation of various different types of keys and their use is disclosed in the patent.

An example of a prior art communication system using encrypted category keys and program keys is the VideoCipher® II+ scrambling system produced and licensed by General Instrument Corporation of San Diego, California to provide encrypted satellite television communication. The encrypted category key is derived from a category key, a unit key specific to a subscriber decoder, and access rights defining which services the particular subscriber is entitled to receive. The access rights are authenticated in the category key, which generally changes monthly.



In the VideoCipher II+ system, and other known systems, it has been necessary to provide the authenticated access rights with the encrypted category key in a single "category rekey" message. The access rights may be many bytes in length. Each category rekey message has a limited length. For example, category rekey messages in a particular system may be limited to two hundred bytes. Such limitations are typically required by the size of the buffer (e.g., RAM) which receives the message in the access control processor. If the number of bytes required to define access rights were to become too large, a single category rekey message could not hold the full description.

It would be advantageous to provide an access control system in which access rights can be delivered incrementally, in more than one category rekey message. It would be further advantageous to provide such a system that would operate even after only a partial set of access rights has been received. It would be still further advantageous to provide such a system that can receive partial sets of access rights in any order, without adversely affecting system operation.

The present invention provides a system for incrementally delivering access rights having the aforementioned and other advantages.

SUMMARY OF THE INVENTION 

In accordance with the present invention, a method is provided for incrementally delivering authenticated access rights to an access control processor. Data defining the access rights is divided into a plurality of subgroups. The subgroups are transmitted to the processor as authenticated data in a plurality of messages. A current cryptographic key is derived using the authenticated data contained in a current message upon receipt of that message by the processor. Each of the subgroups is stored in a corresponding storage bank of the processor. Each of the storage banks has a validity designation associated therewith for said cryptographic key. The current cryptographic key is compared to a cryptographic key from a prior message under which subgroups stored in the storage banks were authenticated to determine if the keys match. If the keys match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, without changing the key's validity designation for any other storage bank. If the keys do not match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, and the validity designation for that key is set to an invalid state for all other storage banks. As used herein, the act of setting a validity designation to a valid state is intended to include the act of simply maintaining or leaving unchanged a validity designation that is already in the valid state. Likewise, setting a validity designation to an invalid state may only require that a prior invalid state be maintained without actually resetting the validity designation. Access (e.g., to particular television programs) under the current cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

In one implementation of the present invention, first and second different cryptographic keys under which access rights are authenticated are maintained by the access control processor at the same time. Each of the storage banks is provided with a first validity designation for the first key and a second validity designation for the second key. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

One or more of the plurality of messages can carry a replacement for one of the first and second keys, together with one or more subgroups authenticated under the replacement key. Each of the subgroups transmitted with the replacement key is stored in a corresponding one of the storage banks. The validity designation for the replacement key is set to a valid state for those storage banks holding a subgroup authenticated under the replacement key. The validity designation for the replacement key is set to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. The validity designation for the key that was not replaced will remain unchanged for those storage banks holding a subgroup authenticated under that key. The validity designation for the key that was not replaced is set to an invalid state for those storage banks holding a subgroup that was not authenticated under that key. The message carrying the replacement key can also carry a duplicate of the key that was not replaced. In a preferred embodiment, replacement keys are transmitted on a periodic basis. For example, a new "category key" for use during the next month can be transmitted while the category key for the current month is still maintained by the access control processor.

The present invention also provides an access control processor for incrementally receiving authenticated access rights. The access control processor includes means for receiving a plurality of messages containing subgroups of access control data defining the access rights. Means are provided for deriving a cryptographic key using the authenticated data contained in a current one of the messages upon receipt of that message. A plurality of storage banks is provided for storing different ones of the subgroups. Each of the storage banks has a validity designation associated therewith for the cryptographic key. A comparator is provided for comparing the cryptographic key to a cryptographic key under which data contained in the storage banks was authenticated to determine if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, without changing the validity designation of any other storage bank, if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, and set the validity designation for that key to an invalid state for all other storage banks, if the keys do not match. Access under the cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

The processor can maintain first and second different cryptographic keys under which access rights are authenticated. A first validity designation is maintained for the first key and a second validity designation is maintained for the second key for each of the banks. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

A replacement can be provided for one of the first and second keys together with one or more subgroups authenticated under the replacement. In such an embodiment, the apparatus of the present invention further comprises means for storing each of the subgroups transmitted with the replacement key in a corresponding one of the storage banks. Means are provided for setting the validity designation for the replacement key to a valid state for those storage banks holding a subgroup authenticated under the replacement key. Means are provided for setting the validity designation for the replacement key to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. Means are also provided for setting the validity designation for the key that was not replaced to an invalid state for those storage banks holding a new subgroup that was authenticated under the replacement key and differs from the previous subgroup stored in that storage bank.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an access control processor in accordance with the present invention;
Figure 2 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used by an uplink processor to provide cryptographically secure data for transmission;
Figure 3 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used for decryption of the cryptographically secure data at a decoder;
Figures 4a to 4c are diagrammatic illustrations used to show how access rights are incrementally distributed in accordance with the present invention;
Figures 5a to 5b illustrate, in diagrammatic form, a further example of the invention in which a plurality of different cryptographic keys are maintained under which access rights are authenticated and distributed incrementally;
Figures 6a to 6b illustrate an example in which a replacement category key is provided with no change in access rights; and
Figures 7a to 7c illustrate an example in which two different subgroups of access rights are incrementally delivered and authenticated under two category keys.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 illustrates a secure access control processor that can be used, for example, to receive and decrypt digital television signals in accordance with the present invention. The signals to be decrypted are input via terminal 10 to a decryptor 20. The decryptor receives working keys necessary to decrypt the input data from a processor. The processor addresses memory 16 in a conventional manner, in order to store various data including decrypted keys, access rights and validity designations as described in more detail below. Encrypted keys are input to the processor 14 via terminal 12. A comparator 22 is provided in accordance with the present invention in order to compare a newly derived key with a prior key stored in memory 16. This comparison is used in order to set the state of the validity designations mentioned above.

Figure 2 describes, in simplified form, a key hierarchy that can be used for key encryption, e.g., at a satellite uplink. A unit key which is specific to a particular subscriber decoder is input via terminal 30 to an exclusive OR (XOR) function 31 which also receives access rights via terminal 32. Access control involves defining, on a unit by unit basis, the access rights granted to that particular unit. Access rights are authenticated in a "category key," which changes periodically, for example on a monthly basis. Each program, which represents a time slice from one service such as HBO, defines specific "access requirements" which must be present in order to grant the right to decrypt that program. The access requirements are authenticated in a "program key" which is valid for the duration of the program. An access control processor regularly receives "category rekey" messages defining its set of access rights.

The unit key for a particular subscriber decoder is derived from quantities stored in a secure random access memory (RAM) at the time the access control processor within the decoder is manufactured.

The access rights input via terminal 32 are also XOR'ed via XOR 38 with a category key input via terminal 34 and encrypted in a first encryption circuit 36. As indicated above, the category key is changed on a periodic basis. One specific category key is delivered, in an encrypted form, to a subset of the full population of decoders. The operation used to encrypt the category key is invertible. The property of invertibility plus knowledge of unit keys allows a system operator to prepare an encrypted category key that will result in a desired category key.

As shown in Figure 2, the encrypted category key is provided by an encryption circuit 40 that receives the outputs of XOR's 31 and 38 as inputs. Thus, the encrypted category key is dependent on the unit key and category key and authenticates the access rights.

The encoder also provides an encrypted program pre-key that is required by the decoder in order to derive the program key for the program. The program pre-key is input via terminal 42 to an encryption circuit 44 that encrypts the program pre-key under the category key to provide the encrypted program pre-key.

The program pre-key is also input to a one-way function 48 which receives the access requirements for the particular program via terminal 46. The one-way function combines the program pre-key and access requirements to provide the program key necessary to generate working keys via a working key generator 50, in a conventional manner. Working keys are simply keys that vary with time, dependent upon the program key. Minimizing re-use of working keys throughout a program defends against certain cryptographic attacks. The working key is applied as an initializing key to decrypt the digital data comprising the digital service being access controlled. Such decryption typically uses a cipher-block-chaining (CBC) approach.

Figure 3 illustrates an example of a key hierarchy that can be used for the decoder processing at the category and program key levels. The access rights input via terminal 54 are XOR'ed in an XOR 56 with the unit key for the particular decoder input via terminal 52. The result is input to a decryption circuit 58 which receives the XOR of the access rights and the output of a decryption circuit 62. The decryption circuit 62 partially decrypts the encrypted category key received via terminal 60. Assuming that the access rights and unit key match those values used in the encryption process, the output of decryption circuit 58 will be the same category key that was encrypted.

The recovered category key is used to decrypt the encrypted program pre-key input via terminal 66 to decryption circuit 68. This provides the program pre-key for input to one-way function 72. The access requirements for the program to which the program pre-key corresponds are input to one-way function 72 via terminal 70. This enables the program key to be recovered for use by working key generator 74 in generating the working keys necessary to decipher the program.

EP0717566A1

In practice, the access rights and access requirements data blocks may be many bytes in length. Thus, the XOR, decrypt/encrypt, and one-way function operations will typically be cascaded and repeated enough times in an actual implementation so that all data is factored in. For example, the data blocks may have eight-byte data and seven-byte keys or may embody other cryptographic algorithms, as desired. The use of eight-byte data blocks and seven-byte keys is conventional in the Data Encryption Standard (DES) algorithm, details of which can be found in Federal Information Processing Standards Publication 46 ("FIPS Pub. 46") issued by the National Bureau of Standards, U.S. Department of Commerce, "Announcing The Data Encryption Standard," January 15, 1977 and FIPS Pub. 74, "Guidelines for Implementing and Using the NBS Data Encryption Standard," April 1, 1981.

When the number of bytes required to define access rights becomes large enough, one single category rekey message cannot hold the full description. The limitation on category rekey length may be, for example, two hundred bytes. The present invention overcomes this message length limitation by delivering the access rights in an incremental manner. More particularly, the present invention breaks access rights down into a plurality of data subgroups stored in "banks." Each instance of the category rekey message carries one or more subgroups, up to the limitation of the length of the message. Each subgroup is stored in a respective bank in secure RAM in the access control processor along with at least one "validity bit", used by the access control processor to keep track of the state of the bank. When the validity bit is set to a "valid" state (e.g., validity bit set), it indicates that the bank holds data that can be used to match access requirements and grant authorization. When the validity bit is set to an "invalid" state (e.g., validity bit clear), it indicates that the data in the bank cannot be used to grant authorization.

Whenever a category rekey message arrives in the access control processor, it is processed as follows:

1. The category key is derived;

2. If the category key matches the previously delivered category key exactly, then any banks authenticated in the derivation of the current category key are marked valid and the validity bits associated with banks not involved in the derivation are left unchanged.

3. If the category key does not exactly match the previously delivered category key, then any banks authenticated in the derivation of the current category key are marked valid, but validity bits associated with any banks not involved in the derivation are set to the invalid state. The new category key is stored.

This process enables the incremental delivery of access rights, while retaining cryptographic security in the authentication of the access rights data delivered. A key element of the inventive approach is that if the current category key exactly matches the previous category key, the banks previously authenticated under the previous key and validated can remain validated. In this manner, later messages effectively build upon prior messages.

Since any changes to access rights will affect the resulting derivation of the category key, any attempt to tamper with the content of one's access rights data in order to steal services (i.e., a pirate attack) will prevent a key match from occurring. Thus, the prior banks' data will become invalid upon derivation of the incorrect category key.

The data labeled as "access rights" in Figures 2 and 3 does not have to exactly comprise the access rights data ultimately stored in secure memory. The actual data validated may be the instructions used to define the data as it will be stored. The category rekey message may deliver data structures which include control bytes indicating the format of data blocks to follow. The control byte may, for example, indicate that the bank indicated by the preceding field is to be cleared to zero, or that the bank data to follow is a list of bits to be set instead of a bit mask. Given that the control bytes and parameters are authenticated, the result of the expansion or processing of the instructions is also authenticated.

Figures 4a to 4c illustrate an example in which access rights data are delivered incrementally in accordance with the present invention. In the initial state illustrated by Figure 4a, the access control processor holds access rights data in two banks 82, 86. Each bank has a validity designation 84, 88 respectively associated therewith. In the initial state, the validity designations for both banks are set to a valid state (V=1). The access control processor also holds the key under which the access rights data is authenticated, namely category key X stored in key store 80.

Figure 4b illustrates the delivery of a new category key and subgroup of access rights data via a category rekey message generally designated 90. The category rekey message includes an encrypted category key 92 (encrypted category key Y) as well as subgroup 94 of new access rights data. The new category key is stored in key store 80 and the new subgroup of access rights data is stored in bank 82. Subgroup 94 is authenticated under the new category key 92. Thus, when this subgroup is stored in bank 82, the validity designation 84 for bank 82 is set to (i.e., remains) valid. On the other hand, since the new category key (category key Y) does not match the prior category key (category key X), the validity designation 88 for bank 86 is set to an invalid state (V=0). This is necessary because the access rights data (access rights data A) currently stored in bank 86 has not been authenticated under the current category key (category key Y).

Figure 4c illustrates a subsequent delivery of new access rights data (i.e., subgroup 95) for storage in bank 86. The new access rights data is provided by category rekey message 96, which carries the same encrypted category key 92 (category key Y) that was carried by the previous category rekey message 90 (Figure 4b). Since subgroup 95 is authenticated under category key Y, which is stored in key store 80, the validity designation 88 for bank 86 is set to a valid state when subgroup 95 is loaded into bank 86. Since the derivation of the category key when authenticating subgroup 95 resulted in the same category key (category key Y) that was already stored in key store 80, the validity designation 84 for bank 82 is unchanged. The result is that both banks are now authenticated under category key Y, even though the access rights subgroups stored in the two banks were delivered separately. It is noted that the subgroups 94 and 95 could have been delivered in the opposite order, with the same end result.
In a preferred embodiment, the access control processor holds two category keys. One category key is used for a current time period (e.g., the current month) and the second is used for a subsequent time period (e.g., the following month). Two keys are required to provide a seamless transition across the month boundary. Such an arrangement allows a system operator to predeliver next month's key without affecting the current month's transactions. In other words, a category key for a subsequent time period can be delivered without creating a period of time where one or more banks are invalidated during the delivery of the new key.

In accordance with the present invention, the maintenance of two category keys with only a single set of banks is permitted by providing a second validity designation for each bank. Each validity designation is associated with (i.e., "points" to) a specific category key. This can be accomplished, for example, either by quoting the sequence number of the category key or by using an even/odd parity scheme.

In a dual key implementation, the processing rules are refined to accommodate the validation bytes for banks already validated by one key when the second key arrives. The category rekey message in such implementations may treat a bank in one of three ways. In particular, the bank may be redefined by the category rekey message, it may be uninvolved in the authentication processing of the message, or the bank may be assumed to be unchanged from a definition received previously, but authenticated in the derivation of the new category key. In the latter case, the data in the bank is involved in the encryption/decryption of the category key, but the actual data in the bank is not included in the message.

Examples for the incremental delivery of access rights where two keys are held by the access control processor are illustrated in Figures 5a, 5b; 6a, 6b; and 7a, 7b, 7c. Figures 5a and 6a each illustrate the same initial conditions, in which an even category key 100 (category key X) and an odd category key 102 (category key W) are present in the access control processor. A first bank 104 holds a first subgroup of access rights. Two validity designations are associated with this bank. Validity designation 106 pertains to information authenticated under the even key. Validity designation 108 pertains to information authenticated under the odd key. A second bank 110 holds a second subgroup of access rights. The second bank is associated with validity designations 112 and 114. Validity designation 112 pertains to information authenticated under the even key and validity designation 114 pertains to information authenticated under the odd key. In the initial state, all four validity designations are set to a valid state (V=1).

In Figure 5b, a category rekey message 120 is received which includes a new encrypted category key 122 (category key Y) and a new subset of access rights 124 to be stored in the first bank. Upon receipt of a category rekey message containing a single category key, as illustrated in Figure 5b, the category key is first derived by decrypting the encrypted category key as illustrated in Figure 3. The resultant category key is stored in category key store 102. The validity designation for each bank redefined or authenticated by the new category key stored in category key store 102 is set to a valid state. It is noted that any bank which is redefined by a category rekey message is also authenticated under the keys carried by that message.

For each bank redefined by a new category rekey message, the validity designation for the other category key (i.e., the category key that is not contained in the category rekey message) is set to an invalid state. Thus, in Figure 5b the validity designation 106 for the category key that is not contained in the category rekey message (i.e., "even" category key X stored in key store 100) is set to the invalid state (V=0). Validity designation 108 is set (i.e., maintained) in a valid state since the "odd" key (category key Y stored in key store 102) was provided by the category rekey message and is the key under which the new access rights stored in the first bank 104 are authenticated.

In the event that the newly derived category key does not exactly match the previous value for that key (i.e., if a new even key does not match the prior even key or if a new odd key does not match the prior odd key), all validity designations associated with that key are set to an invalid state, except for those banks that are redefined and authenticated or simply authenticated by the new category key provided by the category rekey message. It should be noted that the validity designations associated with the other category key are unchanged for any banks authenticated but not redefined in the present message. Thus, in Figure 5b, after the receipt of a new odd category key (category key Y) under which the access rights stored in the first bank 104 are authenticated, the validity designations 106 and 114 will be set to an invalid state while the validity designations 108 and 112 will remain in a valid state. More particularly, validity designation 106 is set to an invalid state because the even key (category key X) was not used to authenticate the access rights stored in first bank 104. Validity designation 114 is set to an invalid state because the access rights stored in second bank 110 were not authenticated under the new odd key (category key Y).

In the example illustrated by Figures 6a and 6b, a new odd category key 122 is provided by the category rekey message 125 without any change in the access rights. In this case, both banks are reauthenticated in the delivery of the odd category key. Thus, the validity designations 108 and 114 for the odd key remain in a valid state. Since no banks were redefined, the validity designations 106, 112 for the even key are also unchanged from the initial conditions illustrated in Figure 6a.

In order to avoid disruption of a current month's authorization if any banks are redefined during delivery of the next month's key, both keys must be delivered in the category rekey message. An example of this is shown in Figures 7a through 7c. Figure 7a shows the same initial conditions illustrated in Figure 6a.
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Whenever two keys are present in the category 
rekey message, the authenticated data used in the 
encryption is common to both keys. In other words, the 
first key cannot be defined to authenticate one bank with 
the second key authenticating the second bank. If two s 
banl^ are redefined, both keys must authenticate both 
banks. 

Upon receipt of a category rekey message containing encrypted odd and even category keys, one of the keys (e.g., the even key) is first derived. The validity designations corresponding to the derived key are then set to a valid state for any banks redefined or authenticated by the category rekey message. If the derived key does not exactly match the previous value of that key, then all of the validity designations associated with that key, except for those banks redefined or authenticated thereunder, are set to an invalid state.

After the first category key has been derived and its corresponding validity designations have been set or cleared, the second key is derived. The validity designations for any banks redefined or authenticated in the category rekey message are then set to a valid state for the second key. The derived second key is then compared with the previous value of that key, and absent an exact match, all of the validity designations associated with that key are set to an invalid state except for those banks redefined or authenticated in the current category rekey message.

In the example of Figure 7b, two keys 132 and 134 are delivered in category rekey message 130, together with new access rights data 136 for the first bank 104. Category key X (derived from encrypted key 132) is the key for the current epoch (i.e., the current month), and is therefore the same key that is already present in the access control processor and stored in key store 100. Category key Y, which is derived from the encrypted key 134 in the category rekey message 130, is a new key for the next epoch and will overwrite the prior category key W in key store 102.

After processing the category rekey message 130, the first bank 104, which stores the new access rights data 136, is validated for both key parities, since the first bank was redefined in the message and authenticated under both the even and odd keys. Thus, validity designations 106 and 108 are both set to a valid state. The validation of the second bank 110 is unchanged for the even key, since category key X as derived from the category rekey message exactly matched the value already held. Validity designation 112 is therefore set to (i.e., remains in) a valid state. The second bank validation is cleared for the odd key, since category key Y as derived from the category rekey message does not match the previous value of category key W held in the odd key store 102. Thus, validity designation 114 is set to an invalid state.

In the example illustrated in Figure 7c, a category rekey message 140 arrives redefining the second bank 110. The new category rekey message 140 immediately follows category rekey message 130 of Figure 7b. After processing this message, all banks become validated for both keys. More particularly, the second bank 110 is validated for both key parities, since that bank was redefined in the message and authenticated under both keys. The validation of first bank 104 is unchanged for the even key, since category key X as derived matched the value already held in key store 100. Similarly, the validation of first bank 104 for the odd key is unchanged, since category key Y as derived from category rekey message 140 exactly matches the previous value held in the odd key store 102.

The final result of the delivery of the two category rekey messages as illustrated in Figures 7b and 7c is that both banks are now validated for the new category key (category key Y). The delivery of the two messages could have occurred in either order without affecting the outcome. Furthermore, both banks continued to be validated for the current month's key (category key X) during the delivery process. Thus, no interruption in service results from the incremental delivery of access rights in accordance with the present invention.
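The bookkeeping described above (set the designations for banks authenticated by the message, compare the derived key with the stored one, clear the remaining designations on a mismatch, and clear the other key's designation for any bank whose subgroup was redefined) can be followed in a small model. The following is an added illustration, not code from the patent: it assumes two storage banks, an even and an odd key store, one validity flag per bank and key parity, and constructed placeholder key values and access-rights payloads. The starting state (key X even, key W odd, both banks valid under both keys) is an assumption modelled on the initial conditions of Figures 6a and 7a; the rule that a key absent from the message loses validity only for banks whose subgroup actually changed follows the wording of claim 3.

```python
"""Model of the validity-designation bookkeeping for incremental delivery of
access rights. Added illustration; key values and payloads are constructed."""
from dataclasses import dataclass, field

EVEN, ODD = "even", "odd"


@dataclass
class Bank:
    data: str = ""
    # validity designation per key parity (e.g. designations 106/108 for bank 1)
    valid: dict = field(default_factory=lambda: {EVEN: False, ODD: False})


@dataclass
class RekeyMessage:
    keys: dict                                        # parity -> derived category key
    redefined: dict = field(default_factory=dict)     # bank index -> new access rights
    authenticated: set = field(default_factory=set)   # banks authenticated but not redefined


class AccessControlProcessor:
    def __init__(self, n_banks=2):
        self.key_store = {EVEN: None, ODD: None}
        self.banks = [Bank() for _ in range(n_banks)]

    def process_rekey(self, msg):
        # Authenticated data is common to every key the message carries, and a
        # redefined bank is always among the authenticated ones.
        authenticated = set(msg.authenticated) | set(msg.redefined)
        changed = set()
        for idx, data in msg.redefined.items():
            if self.banks[idx].data != data:
                changed.add(idx)
            self.banks[idx].data = data
        # Keys are handled one at a time: set designations, compare, then clear.
        for parity, new_key in msg.keys.items():
            for idx in authenticated:
                self.banks[idx].valid[parity] = True
            if new_key != self.key_store[parity]:
                for idx, bank in enumerate(self.banks):
                    if idx not in authenticated:
                        bank.valid[parity] = False
            self.key_store[parity] = new_key
        # A key not carried in the message did not authenticate the redefined
        # data, so its designation is cleared for banks whose subgroup changed
        # (claim 3 wording); banks merely re-authenticated keep it.
        for parity in set(self.key_store) - set(msg.keys):
            for idx in changed:
                self.banks[idx].valid[parity] = False

    def validity(self):
        """(even, odd) validity designation of each bank."""
        return [(b.valid[EVEN], b.valid[ODD]) for b in self.banks]

    def access_rights(self, parity):
        """Access under a key is limited to banks valid for that key."""
        return [b.data for b in self.banks if b.valid[parity]]


def initial_processor():
    """Assumed starting state: key X even, key W odd, both banks valid for both."""
    acp = AccessControlProcessor()
    acp.key_store = {EVEN: "X", ODD: "W"}
    acp.banks[0].data, acp.banks[1].data = "rights-A", "rights-B"
    for b in acp.banks:
        b.valid = {EVEN: True, ODD: True}
    return acp


def figure_5b():
    """New odd key Y with redefined first bank: 106 and 114 become invalid."""
    acp = initial_processor()
    acp.process_rekey(RekeyMessage({ODD: "Y"}, redefined={0: "rights-A2"}))
    return acp.validity()


def figure_6b():
    """New odd key Y, no redefinition, both banks re-authenticated: all valid."""
    acp = initial_processor()
    acp.process_rekey(RekeyMessage({ODD: "Y"}, authenticated={0, 1}))
    return acp.validity()


def figure_7(order=(0, 1)):
    """Messages 130 and 140 (both keys each) in the given order. Returns the
    validity after each message and whether even-key access to both banks
    was preserved throughout (no interruption of the current month)."""
    msgs = [RekeyMessage({EVEN: "X", ODD: "Y"}, redefined={0: "rights-A2"}),
            RekeyMessage({EVEN: "X", ODD: "Y"}, redefined={1: "rights-B2"})]
    acp = initial_processor()
    history, uninterrupted = [], True
    for i in order:
        acp.process_rekey(msgs[i])
        history.append(acp.validity())
        uninterrupted &= acp.access_rights(EVEN) == [b.data for b in acp.banks]
    return history, uninterrupted
```

Running `figure_7()` reproduces Figures 7b and 7c: after message 130 only designation 114 is invalid, after message 140 every designation is valid, and reversing the order gives the same final state while access under key X is never lost.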

It should now be appreciated that the present invention provides a method and apparatus for incrementally delivering authenticated access rights to an access control processor. Data defining the access rights is divided into a plurality of subgroups which are incrementally delivered to an access control processor. Validity designations are used to keep track of authenticated access rights that can be used for providing access to a particular data stream.

Although the invention has been described in connection with various illustrated embodiments, those skilled in the art will appreciate that numerous adaptations and modifications may be made thereto without departing from the spirit and scope of the invention as set forth in the claims.

Claims 

1. A method for incrementally delivering authenticated access rights to an access control processor, comprising the steps of:

dividing data defining said access rights into a plurality of subgroups;

transmitting said subgroups to said processor as authenticated data in a plurality of messages;

deriving a current cryptographic key using the authenticated data contained in a current message upon receipt of that message by said processor;

storing each of said subgroups in a corresponding storage bank of said processor, each of said storage banks having a validity designation associated therewith for said cryptographic key;

comparing said current cryptographic key to a cryptographic key from a prior message under which subgroups stored in said storage banks were authenticated to determine if the keys match;

if said keys match, setting the validity designation for that key to a valid state for each storage bank that is storing data authenticated by said current message, without changing that key's validity designation for any other storage bank; and

if said keys do not match, setting the validity designation for that key to a valid state for each storage bank that is storing data authenticated by said current message and setting that key's validity designation for all other storage banks to an invalid state;

wherein access under the current cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation for that key in a valid state.

2. A method in accordance with claim 1 wherein first and second different cryptographic keys under which access rights are authenticated are maintained by said processor at the same time, said method comprising the further step of:

providing each of said storage banks with a first validity designation for said first key and a second validity designation for said second key;

wherein access via a particular one of said keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

3. A method in accordance with claim 1 or 2 comprising the further steps of:

transmitting a replacement for one of said first and second keys in one of said messages together with one or more subgroups authenticated under said replacement;

storing each of the subgroups transmitted with said replacement key in a corresponding one of said storage banks;

setting the validity designation for the replacement key to a valid state for those storage banks holding a subgroup authenticated under the replacement key;

setting the validity designation for the replacement key to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key; and

setting the validity designation for the key that was not replaced to an invalid state for those storage banks holding a subgroup that was authenticated under the replacement key and differs from the previous subgroup stored in that storage bank.

4. A method in accordance with claim 3 wherein the message carrying said replacement key also carries a duplicate of the key that was not replaced.

5. A method in accordance with any of claims 1 to 4 comprising the further step of transmitting replacement keys on a periodic basis.



6. An access control processor for incrementally receiving authenticated access rights, comprising:

means for receiving a plurality of messages containing subgroups of access control data defining said access rights;

means for deriving a current cryptographic key using the authenticated data contained in a current one of said messages upon receipt of that message;

a plurality of storage banks for storing different ones of said subgroups, each of said storage banks having a validity designation associated therewith for said cryptographic key;

means for comparing said current cryptographic key to a cryptographic key under which data contained in said storage banks was authenticated to determine if the keys match;

means responsive to said comparing means for setting the validity designation for the current cryptographic key to a valid state for each storage bank that is storing data authenticated by said current message, without changing that key's validity designation for any other storage bank, if the keys match; and

means responsive to said comparing means for setting the validity designation for the current cryptographic key to a valid state for each storage bank that is storing data authenticated by said current message, and for setting that key's validity designation for all other storage banks to an invalid state if the keys do not match;

wherein access under the current cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation for that key in a valid state.

7. Apparatus in accordance with claim 6 wherein:

said processor maintains first and second different cryptographic keys under which access rights are authenticated;

a first validity designation is maintained for said first key and a second validity designation is maintained for said second key for each of said banks; and

access via a particular one of said keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

8. Apparatus in accordance with claim 6 or 7 wherein a replacement is provided for one of said first and second keys together with one or more subgroups authenticated under said replacement, said apparatus further comprising:

means for storing each of the subgroups transmitted with said replacement key in a corresponding one of said storage banks;

means for setting the validity designation for the replacement key to a valid state for those storage banks holding a subgroup authenticated under the replacement key;

means for setting the validity designation for the replacement key to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key;

means for setting the validity designation for the key that was not replaced to a valid state for those storage banks holding a subgroup authenticated under that key; and

means for setting the validity designation for the key that was not replaced to an invalid state for those storage banks holding a subgroup that was not authenticated under that key.